Context Aware Firewall Policies. Ravi Sahita, Priya Rajagopal, Pankaj Parmar, Intel Corp. June 8th 2004, IEEE Policy (Security)
Overview • Background • Motivation • Policy goals (example) • Intrusion detection -> Host <- firewalling • Management • SAFire • Milestone conclusions
Background • Why firewall? • Defense in depth against software flaws (software complexity increasing) • Control over services accessed/exposed • Control over information flow across boundaries (platform or network) • Needed: Increased proactive response instead of reactive
Policy goals (example) • Track flow only if the session is initiated by client • By default, restrict all traffic other than allowed services control traffic • Create transient filters for the negotiated data flows • On the negotiated port, restrict access to specific allowed commands/capabilities for that service • When transferring data, block/flag suspicious content (so that it is checked) before it reaches apps • All traffic that causes invalid protocol state transitions must be blocked proactively
Advantages of host-based FWs • Visibility into internal traffic – can protect against internal attacks • Smaller number of flows, more state per flow – decreased load on aggregation points • Enable finer access control in a mobile environment – carry your security with you • Can use end-to-end protocol properties • Allow true end-to-end encryption of traffic that would otherwise have to be proxied by network devices
Complex management • Infrastructure firewalls are still needed • Host FWs => number explosion, but valuable • Make security policies easier to map without sacrificing functionality • Make components tend towards autonomous behavior • Make it easier to correlate events across hosts and infrastructure
Why SAFire? • What are the sub-elements of such packet analysis? • Allow building finer-grained network access control policies • Rich enough to keep up with new network services/changes • Local remediation • Abstraction of FW / IDS rules for a host
Capabilities identified (host context) • Packet data extraction and filtering • Flow state table management • Application layer rules • Pattern manipulation • Outsourcing policy decisions • Reuse of definitions • Dynamic rule management
Sequence of steps • Express the application protocol as a DFA • Map protocol states to the Generic PSM • Extract transition rules from the normalized PSM, naming each as <src, event, dst, action> • Map to SAFire primitives (using tools)
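The policy goals slide and the four-step sequence above can be tied together in a small host-context policy engine. The following is an added example, not code from the SAFire prototype or the paper: it models an FTP-like control/data protocol as a DFA whose transitions are <src, event, dst, action> rules, and enforces the example goals (track only client-initiated sessions, default-deny, allow only a fixed command set, open a transient filter for the negotiated data port, inspect transferred content, and block any event that is not a valid transition). The generic state names, the allowed command set, the host address and the "suspicious content" signature are assumptions chosen for illustration, and the session trace is constructed.

```python
"""Host-context firewall policy driven by a protocol state machine (added example)."""
from dataclasses import dataclass, field
import re

# Generic protocol states (assumed names; the deck's Generic PSM diagram is not reproduced)
INIT, CTRL, AUTH, PASV_PENDING, NEGOTIATED, TRANSFER, CLOSED = (
    "INIT", "CTRL", "AUTH", "PASV_PENDING", "NEGOTIATED", "TRANSFER", "CLOSED")

HOST = "10.0.0.5"                                    # the protected host (constructed address)
ALLOWED_COMMANDS = {"USER", "PASS", "PASV", "RETR", "QUIT"}   # assumed capability set for the service
SUSPICIOUS = re.compile(rb"\x7fELF|^MZ")             # constructed signature: executable headers

# Transition rules extracted from the normalized PSM: (src, event) -> (dst, action)
RULES = {
    (INIT, "client_syn"):        (CTRL, "track"),
    (CTRL, "USER"):              (CTRL, "pass"),
    (CTRL, "PASS"):              (AUTH, "pass"),
    (AUTH, "PASV"):              (PASV_PENDING, "pass"),
    (PASV_PENDING, "reply_227"): (NEGOTIATED, "open_data_filter"),
    (NEGOTIATED, "RETR"):        (TRANSFER, "pass"),
    (TRANSFER, "data"):          (TRANSFER, "inspect"),
    (TRANSFER, "reply_226"):     (AUTH, "close_data_filter"),
    (AUTH, "QUIT"):              (CLOSED, "untrack"),
}


@dataclass
class Flow:
    state: str = INIT
    data_ports: set = field(default_factory=set)     # transient filters for negotiated data flows


class PolicyEngine:
    def __init__(self):
        self.flows = {}                              # peer address -> Flow (flow state table)

    def handle(self, src, dst, event, payload=None):
        """Apply one packet-derived event. Returns (verdict, reason)."""
        outbound = src == HOST
        peer = dst if outbound else src
        flow = self.flows.get(peer)

        # Untracked traffic: only a client-initiated (outbound) SYN creates state.
        if flow is None:
            if event == "client_syn" and outbound:
                flow = self.flows[peer] = Flow()
            else:
                return "block", "no tracked session (default deny)"

        # Commands must come from the client side, replies from the server side.
        if (outbound and event.startswith("reply_")) or (not outbound and event.isupper()):
            return "block", f"wrong direction for {event}"

        # Client commands are restricted to the service's allowed capability set.
        if outbound and event.isupper() and event not in ALLOWED_COMMANDS:
            return "block", f"command {event} not permitted"

        # Data-channel packets must match a transient filter created at negotiation time.
        if event == "data" and payload["port"] not in flow.data_ports:
            return "block", f"port {payload['port']} not negotiated"

        # Anything that is not a valid DFA transition is blocked proactively.
        rule = RULES.get((flow.state, event))
        if rule is None:
            return "block", f"invalid transition {flow.state} --{event}-->"
        new_state, action = rule

        if action == "inspect" and SUSPICIOUS.search(payload["bytes"]):
            return "flag", "suspicious content held for inspection"
        if action == "open_data_filter":
            flow.data_ports.add(payload["port"])     # transient filter for the negotiated flow
        elif action == "close_data_filter":
            flow.data_ports.clear()
        elif action == "untrack":
            del self.flows[peer]
        flow.state = new_state
        return "allow", action


def run_trace():
    """Constructed session trace; returns a list of (event, verdict, reason)."""
    server, outsider = "203.0.113.7", "198.51.100.9"
    trace = [
        (outsider, HOST, "client_syn", None),                    # inbound SYN: not client-initiated
        (HOST, server, "client_syn", None),
        (HOST, server, "USER", None),
        (HOST, server, "PASS", None),
        (HOST, server, "RETR", None),                            # RETR before a port was negotiated
        (HOST, server, "SITE", None),                            # command outside the allowed set
        (server, HOST, "reply_227", {"port": 50123}),            # 227 without a preceding PASV
        (HOST, server, "PASV", None),
        (server, HOST, "reply_227", {"port": 50123}),
        (HOST, server, "RETR", None),
        (server, HOST, "data", {"port": 50999, "bytes": b"x"}),  # data on an unnegotiated port
        (server, HOST, "data", {"port": 50123, "bytes": b"hello\n"}),
        (server, HOST, "data", {"port": 50123, "bytes": b"\x7fELF\x02"}),
        (server, HOST, "reply_226", None),
        (HOST, server, "QUIT", None),
    ]
    engine = PolicyEngine()
    return [(ev, *engine.handle(s, d, ev, p)) for s, d, ev, p in trace]


if __name__ == "__main__":
    for ev, verdict, reason in run_trace():
        print(f"{ev:<10} {verdict:<5} {reason}")
```

Each rule is a single `(src, event) -> (dst, action)` entry, so extending the protocol (a new command, a new negotiation reply) means adding a rule rather than touching the engine; that separation is what lets the same engine be driven by rules generated from a different protocol's DFA.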
Generic Protocol States Mapped to protocol specifics
Conclusions • Unified model can comprehend HIPS + FWs • Language extensibility = parallel progress • Model allows security policy verification across implementations • Minimal tradeoff is processing overhead for mapping and translation • Context information on the host can be leveraged for finer access control • Initial prototype shows minimal delay from the user's POV
Thank you! • Questions/Comments to ravi.sahita@intel.com